[2025.01 Vulnerability Report] WordPress CleanTalk Plugin Authentication Bypass Vulnerability (CVE-2024-10542, CVE-2024-10781) | Cloud-Based Platform AIONCLOUD



The WordPress CleanTalk plugin currently has two serious authentication bypass vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, which allow an unauthenticated attacker to bypass security measures and perform actions that would normally require valid authentication. In particular, an attacker could install and activate arbitrary plugins on a vulnerable site, potentially leading to remote code execution and other malicious activity, so customers and businesses using the plugin should update to the latest version as soon as possible.

Our AIWAF products continuously monitor for vulnerabilities affecting services such as the WordPress CleanTalk plugin, and we will respond promptly to related vulnerabilities discovered in the future.


1. Overview

CleanTalk is a cloud-based anti-spam and security plugin for WordPress. It is primarily used to block spam comments and illegitimate registration attempts. This report analyzes the authentication bypass vulnerabilities CVE-2024-10542 and CVE-2024-10781 in the plugin.

Source : https://cyberinsider.com/flaws-in-cleantalk-anti-spam-plugin-affect-over-200000-wordpress-sites/


2. Attack Type

CVE-2024-10542 is an authentication bypass via reverse DNS spoofing in the WordPress CleanTalk plugin, affecting all versions prior to 6.43.2. The checkWithoutToken function relies on a reverse DNS check that can be spoofed, which allows unauthenticated attackers to install and activate arbitrary plugins and could be leveraged to achieve remote code execution.

ex) Attack syntax

GET /?spbc_remote_call_action=<Plugin name>&plugin_name=antispam&ip=cleantalk.org

CVE-2024-10781 is an authentication bypass caused by missing api_key validation in the WordPress CleanTalk plugin, affecting all versions prior to 6.44. The perform function does not check whether the api_key value is empty, which allows an unauthenticated attacker to install and activate arbitrary plugins and could be leveraged to achieve remote code execution.

ex) Attack syntax

GET /?spbc_remote_call_token=hashed_token_value&action=some_action
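To make the CVE-2024-10781 failure mode concrete, the following added example (not the CleanTalk plugin's code; the function names, the token derivation and the use of SHA-256 are assumptions for illustration) contrasts a token check that omits the empty-key test with a hardened version that refuses to evaluate any token while the site has no API key configured:

```python
import hashlib
import hmac

# Illustrative model only: a simplified remote-call token check, written to show
# why an empty-value check on the API key matters. This is NOT the CleanTalk
# plugin's implementation; names and the hashing scheme are assumptions.


def make_token(api_key: str) -> str:
    """Derive the expected remote-call token from the site's API key (assumed scheme)."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def verify_token_vulnerable(api_key: str, presented_token: str) -> bool:
    """Missing empty-value check: a site with no API key configured still
    derives a deterministic expected token, so the comparison can succeed
    without any secret being involved."""
    return hmac.compare_digest(make_token(api_key), presented_token)


def verify_token_hardened(api_key: str, presented_token: str) -> bool:
    """Fail closed: no configured key means no valid token can exist."""
    if api_key is None or api_key.strip() == "":
        return False
    if not presented_token:
        return False
    # Constant-time comparison, as in the vulnerable variant.
    return hmac.compare_digest(make_token(api_key), presented_token)


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    configured_key = "example-site-api-key"
    print(verify_token_hardened(configured_key, make_token(configured_key)))  # True
    print(verify_token_hardened("", make_token("")))                          # False
```

The design point is that authentication checks must fail closed when the secret they depend on is absent; deriving a token from an empty secret turns "not configured" into "anyone can authenticate".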

3. Response

CVE-2024-10542 is addressed in version 6.44 of "Spam protection, Anti-Spam, FireWall by CleanTalk", and CVE-2024-10781 is addressed in version 6.45 of the same plugin.

Exploitation attempts for both vulnerabilities use the spbc_remote_call_action and spbc_remote_call_token request parameters. We are analyzing these requests further and will add corresponding detection patterns to our AIWAF product.
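As an added example of the kind of detection this implies (not AIONCLOUD's AIWAF pattern and not from the original report), the script below scans web-server access-log lines for requests carrying the spbc_remote_call_action or spbc_remote_call_token parameter, which are the parameters named in the request patterns above. The log lines are constructed samples, the action value is a placeholder, and the flagging logic is an assumption about what a site operator would want to review:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
# The action value is a placeholder; real requests would carry a specific action.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /?spbc_remote_call_action=example_action&plugin_name=antispam&ip=cleantalk.org HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /?spbc_remote_call_token=&action=example_action HTTP/1.1" 200 301 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Jan/2025:10:00:04 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query parameters used by the CleanTalk remote-call entry point (from the report).
REMOTE_CALL_PARAMS = {"spbc_remote_call_action", "spbc_remote_call_token"}


def scan_log(text: str) -> list[dict]:
    """Return one finding per request that carries a remote-call parameter.

    Each finding records the client IP, timestamp, the matching parameter
    names, and whether the token parameter was present but empty, which is
    worth surfacing given the missing empty-value check in CVE-2024-10781.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        matched = sorted(REMOTE_CALL_PARAMS & query.keys())
        if not matched:
            continue
        token_values = query.get("spbc_remote_call_token", [])
        findings.append(
            {
                "ip": m["ip"],
                "timestamp": m["ts"],
                "status": int(m["status"]),
                "params": matched,
                "empty_token": any(v == "" for v in token_values),
            }
        )
    return findings


def count_by_ip(findings: list[dict]) -> dict[str, int]:
    """Aggregate findings per client IP to highlight repeated probing."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    print(count_by_ip(scan_log(SAMPLE_LOG)))
```

A 200 status on such a request does not by itself prove compromise, but on a site running a version older than the patched releases it is a strong reason to review installed plugins and recent plugin activations.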


4. Conclusion

The WordPress CleanTalk plugin has critical authentication bypass vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, which could allow an unauthenticated attacker to bypass security measures and perform actions that would normally require valid authentication. Customers and businesses using the plugin should update to the latest version as soon as possible, especially since an attacker could install and activate arbitrary plugins on vulnerable sites, potentially leading to remote code execution and other malicious activity.

Our AIWAF products continue to monitor services such as the WordPress CleanTalk plugin for vulnerabilities, and we will continue to respond quickly to any related vulnerabilities that are discovered.


5. References
